Information Commissioner’s Office


The Information Commissioner’s response to HM Treasury’s 
consultation on Transposition of the Fifth Money Laundering 
Directive. 


The Information Commissioner has responsibility for promoting and 
enforcing the EU General Data Protection Regulation (‘GDPR’), the Data 
Protection Act 2018 (‘DPA’), the Freedom of Information Act 2000 
(‘FOIA’), the Environmental Information Regulations 2004 (‘EIR’) and the 
Privacy and Electronic Communications Regulations 2003 (‘PECR’). She is 
independent from government and upholds information rights in the 
public interest, promoting openness by public bodies and data privacy for 
individuals. The Commissioner does this by providing guidance to 
individuals and organisations, solving problems where she can, and taking 
appropriate action where the law is broken. 


The Commissioner welcomes the opportunity to respond to the HM 
Treasury consultation on Transposition of the Fifth Money Laundering 
Directive (5MLD).


We have reviewed the consultation paper and identified that the current
focus of many of the questions does not specifically require data protection
input from this office at this time. However, there are aspects of the 
proposed changes under 5MLD that may have implications for the privacy 
of individuals. 


Data protection is not, and should not be seen as, a barrier to an effective
anti-money laundering and counter-terrorist financing regime. It is 
possible to introduce the changes required by 5MLD in a way that takes 
account of data protection legislation. 


It is important that the implementation of 5MLD takes account of the data 
protection obligations of organisations and the data protection rights of 
individuals. A policy approach that considers data protection early in the 
design process, as required under GDPR, is likely to reduce the risk that 
concerns will be raised with the ICO in future regarding the lawfulness 
and fairness of the UK’s anti-money laundering regime. 


The ICO is currently engaging with HM Treasury on a wider piece of work
in the Economic Crime Plan which includes the implementation of aspects 
of 5MLD. 


The ICO therefore welcomes the opportunity to engage with HM Treasury 
and relevant stakeholders involved to discuss the data protection and 
privacy implications resulting from the proposed transposition of 5MLD. In 
particular, the ICO makes the following observations: 


Trust Registration Service (TRS) 


The ICO believes consideration should be given to the data protection 
implications around widening current trust registration services to include 
additional trust classifications. We note the acknowledgement that some 
personal data collected under 4MLD was onerous to customers and the 
government is to review and “ideally reduce information collected”. The 
ICO reiterates the necessity to consider data minimisation in the collection 
and processing of personal data and would support a review of what 
information is considered to be necessary and proportionate. 


It is noted that obliged entities will be required to establish whether a 
trust is registered with the TRS prior to undertaking a business 
relationship. In these circumstances, the trust would be best placed to 
provide this confirmation, rather than the third party directly approaching 
the TRS for this evidence. This would ensure that only those requiring the 
information are provided with it and reduces the risk of third parties 
accessing the register where they should not be doing so. 


The data included in the register would alone, or in combination with 
other available data, pose a risk of identity theft if made public and, as 
such, appropriate technical and organisational measures must be taken to 
ensure a level of security appropriate to that risk. 


We also note that the consultation paper states that “the government 
may choose to collect some additional information with which to establish 
the legal identity of individuals; for example, National Insurance or 
passport numbers.” We would again reiterate the data minimisation 
requirements of the GDPR, and the increased risk that comes with the 
collection of more information. If the government intends to collect more 
personal data than that required by law, it must be able to clearly explain 
what the purpose of this is, and why the specific personal data being 
collected is necessary for that purpose. 


The definition of legitimate interest for the purposes of accessing the TRS
must be robust and must not facilitate the release of personal data to
third parties where AML concerns cannot be demonstrated. Further, the 
type of data released should be closely considered; it may be unnecessary
for all data held on the TRS to be released to a third party under a 
legitimate interest request — guidance or rules may be required to provide 
clarity. It should also be made clear that the concept of “legitimate 
interest” in this context is separate from the concept of “legitimate 
interests” as a lawful basis for processing under Article 6(1)(f) of the 
GDPR¹.


National Register of Bank Account Ownership 


It is noted that a national register of bank account ownership is required 
and personal data will be held on this register. Of concern to the ICO is 
the question raised in the consultation around whether specific types of 
unique identifier would be useful to law enforcement authorities. As with 
the use of such information in relation to the TRS, the use of passport
numbers or National Insurance numbers should only be sought where it can
be demonstrated that this is necessary for the purposes for which the
national register of bank account ownership is intended. Additional personal data
should not be sought simply because it may be useful to those who 
access the database for other purposes. 


Further Considerations 


In implementing 5MLD, there is a possibility of cross border data sharing 
to third countries outside of the EEA. Consideration of the data protection 
implications associated with these obligations is required. 


GDPR Art 36.4 Consultation 


The ICO welcomes the opportunity to formally consult with HM Treasury 
under Art 36.4 of the GDPR in respect of the data protection implications 
under the proposed transposition. 


1 ICO Guidance on Legitimate Interests as a lawful basis for processing under the GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

2 DCMS Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR): 
https://www.gov.uk/government/publications/guidance-on-the-application-of-article-364-of-the-general- 


regulation-gdpr 